VMWare ESXi – VPN Tunnel to VMs

Tags: site-to-site-vpn, vmware-esxi, vpn

We are looking at renting a VMWare ESXi server through a provider. This VMWare ESXi server will be allocated a public IP. Most of the VMs that we will host on this server are only meant to be used internally.

My question is if it would be possible to set up a VPN tunnel (ipsec) from the gateway in our office (Cisco RV082) to the VMWare host server so that we do not have to expose all VMs to the internet? We do not have access to any equipment in front of the VMWare host server.

For example, would it be possible to configure such a tunnel on e.g. a Debian VM, and then achieve the following:

  1. We can reach all the VMs on the VMWare host via a local IP address on our intranet
  2. The VMs can reach machines on our intranet via a local IP address

The alternative to this I guess would be to 'buy' 1 public IP address from the provider per VM, and then access the VMs over the internet, each with its own iptables configuration to block access from IPs not stemming from our office.

Any help is appreciated.

Best Answer

My question is if it would be possible to set up a VPN tunnel (ipsec) from the gateway in our office (Cisco RV082) to the VMWare host server so that we do not have to expose all VMs to the internet?

No. You can't install third party services like a VPN client on the hypervisor.

This is what you need:

  • A management IP address for ESXi itself. This can be public, or it can be private, as long as you can reach it to manage. If it's public, make sure it's firewalled off well.

  • A VM to act as a VPN gateway (OpenVPN, pfSense, RRAS, whatever)

  • At least one public IP address for a VM to act as the VPN gateway.

  • A public vSwitch that has the public interface for your VPN gateway VM.

  • A private vSwitch that the rest of your "private only" VMs connect to.

You'll connect your VPN VM to both vSwitches and configure routing through it. This way, you'll tunnel to a VM that has access to both the public network (so that you can VPN into it) and the private network so that your VMs aren't exposed to the outside world unnecessarily and you won't need public IPs for all of them.
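The two-vSwitch design above in concrete form, as an added example that is not part of the original answer: a firewall and forwarding policy for a Debian VPN gateway VM that terminates the office IPsec tunnel (strongSwan assumed), so that the VMs on the private vSwitch are reachable only through the tunnel and the gateway itself accepts nothing else from the public side. Interface names, subnets and the office gateway address are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: forwarding/firewall policy for the
# VPN gateway VM in the answer. Two NICs: PUB_IF on the public vSwitch, PRIV_IF on
# the private vSwitch. The IPsec tunnel (strongSwan assumed) terminates on PUB_IF.
# Interface names and all addresses are placeholders; override via environment.
PUB_IF="${PUB_IF:-ens192}"                 # NIC on the public vSwitch
PRIV_IF="${PRIV_IF:-ens224}"               # NIC on the private vSwitch
OFFICE_GW="${OFFICE_GW:-203.0.113.10}"     # public IP of the office Cisco RV082
OFFICE_NET="${OFFICE_NET:-192.168.1.0/24}" # office intranet behind the RV082
VM_NET="${VM_NET:-10.10.10.0/24}"          # subnet on the private vSwitch

# Emit the rule set as text so it can be reviewed before it is applied.
gen_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Public side: accept only IKE/NAT-T and ESP, and only from the office gateway
iptables -A INPUT -i $PUB_IF -s $OFFICE_GW -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -i $PUB_IF -s $OFFICE_GW -p esp -j ACCEPT
# SSH to this gateway VM only from the private vSwitch or from inside the tunnel
iptables -A INPUT -i $PRIV_IF -s $VM_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $PUB_IF -s $OFFICE_NET -p tcp --dport 22 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Office -> private VMs: only packets that were decapsulated from the IPsec tunnel
iptables -A FORWARD -i $PUB_IF -o $PRIV_IF -s $OFFICE_NET -d $VM_NET -m policy --dir in --pol ipsec -j ACCEPT
# Private VMs -> office: only traffic that will be encapsulated on the way out
iptables -A FORWARD -i $PRIV_IF -o $PUB_IF -s $VM_NET -d $OFFICE_NET -m policy --dir out --pol ipsec -j ACCEPT
EOF
}

# Number of rules that let packets cross from the public to the private vSwitch.
# With the policy above it is exactly one, and that one is bound to the IPsec match,
# so plain internet traffic hitting PUB_IF can never reach the private VMs.
public_to_private_rules() {
  gen_rules | grep -c -- "-A FORWARD -i $PUB_IF -o $PRIV_IF"
}

# Apply for real (needs root on the gateway VM): APPLY=1 sh gateway-fw.sh
if [ "${APPLY:-0}" = "1" ]; then
  gen_rules | sh -e
fi
```

Without `APPLY=1` the script only prints the rules, so it can be diffed against the running `iptables-save` output during a review.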